JavaScript attack aimed to reroute bitcoin transactions

Share

Written by

A newly identified JavaScript vulnerability in StatCounter, a popular web analytics platform, allowed hackers to attempt to re-route bitcoin transfers associated with a specific cryptocurrency exchange.

Attackers were able to inject a piece of their own code into JavaScript associated with StatCounter’s system, according to research from ESET. The malicious code searches for URLs that contain “myaccount/withdraw/BTC,” with the intention of replacing the destination address of transfers with an address belonging to the attackers, ESET reports.

The attack target appears to be cryptocurrency trading site Gate.io, the report says, given that it is the only one that uses the “myaccount/withdraw/BTC” Uniform Resource Identifier (URI).

“The users’ funds are safe,” Gate.io said, but it urged customers to maximize the security levels on their accounts.

ESET said it notified the company as soon as it discovered the hack, which it labeled as a “supply chain” attack, given where the malicious code appeared. The company said Wednesday that it has stopped using StatCounter’s services and removed the malicious script.

The malicious code is actually added to the middle of StatCounter’s JavaScript, which makes it harder to detect via casual observation, the report says. Webmasters put the JavaScript into pages so StatCounter’s platform can collect statistics about traffic and users.

Most of the malicious bitcoin transactions were undetected initially by users, ESET says, because the redirection in addresses only occurs after the transfer is submitted.

Gate.io handles several million dollars in transactions daily, according to coinmarketcap.com.

ESET notes that the attacker’s domain had already been suspended in 2010 for abuse.